It takes almost five months to detect, contain a threat
The average time taken to detect and contain a threat within a business is around 145 days, which is far too long in a fast-evolving threat landscape.
This is according to Rhys Vincent, lead security solutions engineer EMEA at Rapid7, who told delegates at the ITWeb Security Summit 2017 that organisations need to respond faster. "The time taken to detect and contain a threat has dropped from around 200 days a few years ago, but 145 days is still far too long. It gives attackers over 142 days to look at your information."
Vincent outlined the typical attack chain, which he said starts with infiltration, and moves to exploring the network, seeking new ports and vulnerabilities and pulling information back from the machine.
"The attackers then start to move laterally across different machines within the organisation and these new machines expand the discovery, so it's a cyclical process. Once the mission target has been found, the attacker may also keep a back door open so that even if the threat is discovered or contained, the attacker could return six or 12 months later to resume harvesting information."
There was an increase in the use of remote file execution too, he said, which made detection more difficult. "There is more of this because - why create malware when I can leverage common processes within the system and so mask the activity?"
The biggest challenges hampering security teams' ability to detect and contain threats included alert fatigue and portal fatigue: "There are too many false positives and lots of different point security products. Because there are so many, it becomes easy to lose alerts; and it becomes difficult to see the context of the attack. When too many siloed solutions must be viewed and compared, you end up with portal fatigue, which hampers detection," he added.
To improve detection and containment, security teams needed good data collection, deception technology such as honeypots, endpoint detection and response (EDR) capability, and the ability to apply user behaviour analytics (UBA) to analyse what normal users were doing in order to detect anomalous activity, he said. "One alert doesn't tell the whole story - you need context to be able to remediate and close the system against future attacks."